Load Balancers

Load balancers make multiple systems or services appear like a single resource, allowing both redundancy and increased ability to handle the load by distributing it to more than one system. Load balancers are also commonly used to allow system upgrades by redirecting traffic away from systems that will be upgraded and then returning that traffic after the systems are patched or upgraded. Load balancers are also used to provide a centralized defense.

A proxy load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Proxy load balancers are used to increase the capacity of concurrent users and the reliability of applications. Proxy load balancers improve the overall performance of applications by decreasing the overall burden on servers associated with managing and maintaining applications and network sessions, as well as by performing application-specific tasks. Proxy load balancers are normally grouped into two categories: layer 4 and layer 7. Layer 4 proxy load balancers act upon data found in Network and Transport layer protocols (IP, TCP, FTP, and UDP). Layer 7 proxy load balancers distribute requests based on data found in application layer protocols such as HTTP. Proxy load balancers ensure reliability and availability by monitoring the health of applications and sending requests only to servers and applications that can respond in a timely manner.

Intrusion Detection Systems and Intrusion Prevention Systems

Another element of protection in security architecture is the introduction of an intrusion detection system (IDS). An IDS gathers and analyzes information from the computer or a network it is monitoring. An IDS can be considered a type of network management and monitoring tool. The key to what type of activity the IDS will detect depends on where the sensor is placed. Before discussing the types of intrusion detection systems, let's first review the various ways in which an intrusion is detected.

Intrusions are detected in one of three basic ways:

• Signature Recognition Signature recognition relies on a database of known attacks, and it is also known as misuse detection. Each known attack is loaded into the IDS in the form of a signature. Once the signatures are loaded, the IDS can begin to guard the network. The signatures are usually given a number or name so that they are easily identified when an attack occurs. For example, these signatures may include the Ping of Death, SYN floods, or Smurf DoS. The biggest disadvantage to signature recognition is that these systems can trigger only on signatures that are known and loaded. Polymorphic attacks and encrypted traffic may not be properly assessed. Tools such as Snort are still an invaluable part of the security administrator's arsenal, and custom signatures will frequently be used depending on the organizational environment. They should, however, be combined with other measures that ensure the integrity of the system on which they are installed for the goal of defense in depth.
• Anomaly Detection Anomaly detection systems detect an intrusion based on the fixed behavior of a set of characteristics. If an attacker can slowly change their activity over time, an anomaly-based system may not detect the attack and believe that the activity is actually acceptable. Anomaly detection is good at spotting behavior that is significantly different from normal activity. Normal activity is captured over days, weeks, or even months to establish a baseline. Rules can be written to compare current behavior with the baseline to find any anomalies. The CASP+ exam may also use the word heuristics to describe monitoring behavior.
• Protocol Decoding This type of system uses models that are built on the TCP/IP stack and understands their specifications. Protocol-decoding IDS systems have the ability to reassemble packets and look at higher-layer activity. If the IDS knows the normal activity of the protocol, it can pick out abnormal activity. Protocol-decoding intrusion detection requires the IDS to maintain state information. To detect these intrusions effectively, an IDS must understand a wide variety of Application layer protocols. This can be useful in a situation where an attacker is attempting to use a custom TCP stack on a compromised machine to evade detection.

Here are some of the basic components of an IDS implementation:

• Sensors: Detects and sends data to the system.
• Central monitoring system: Processes and analyzes data sent from sensors.
• Report analysis: Offers information about how to counteract a specific event.
• Database and storage components: Perform trend analysis and then store the IP address and information about the attacker.
• Response box: Inputs information from the previous components and forms an appropriate response. For example, the response box might decide to block, drop, or even redirect network traffic.
• Alert definitions: An alert definition is basically the who, what, when, where, and why of the intrusions that occur. The first step in creating an alert definition is the rule action. These rule actions let the IDS know what to do when it finds a packet that is the same as the criteria of the rule.
  • Alert: Generates an alert using the selected alert method and then logs the packet
  • Log: Logs the packet
  • Pass: Ignores the packet
  • Activate: Alerts and then turns on another dynamic rule
  • Dynamic: Remains idle until activated by an activate rule and then acts as log rule
  • Drop: Blocks the log of the packet
  • Reject: Blocks the packet, logs it, and then sends a TCP reset if the protocol is TCP. If UDP, an ICMP port unreachable message is sent.
  • Sdrop: Blocks the packet but does not log it

There are three types of thresholds that you can apply to your IDS system's alerts. Most monitoring tools should support these thresholds.

• Fixed Threshold Alert-based technology is often triggered by the use of a fixed threshold. Metrics are used and often based on a fixed calculation using various numeric values.
• State-Based Threshold Metrics are sometimes used with discrete values that involve states of the information system. State-based thresholds have alerts that occur when there is a change in the metric value. An example of a state-based threshold is when a specific program process has started.
• Historical Threshold Metrics are compared by using historical thresholds, that is, numerical values from the past and present over a set time frame. Network engineers often use historical thresholds to compare traffic spikes during the current week versus past weeks.

Alert fatigue is the overall threshold where it becomes too difficult for a security analyst to discern important alerts from the stream of all of the information being received. Security analysts have to review each and every alert to decide if it really is a threat or just another false positive, as all of the alerts may appear to be the same at first. When magnified by multiple systems delivering such alerts, it can quickly become overwhelming when there are so many alerts that it becomes difficult to distinguish the true positives from the false positives. Some of these alerts require aggregation before the combination can be confirmed as a true positive and the potential business impact can be assessed. This is why many security operation centers have tiered responders with different levels of expertise evaluating the alerts.

Placement of such an IDS system is another important concern. Placement requires consideration because a sensor in the demilitarized zone (DMZ) will work well at detecting misuse but will prove useless against attackers who have already compromised a system and are inside the network. Once placement of sensors has been determined, they still require specific tuning and baselining to learn normal traffic patterns.

IDS sensors can be placed externally in the DMZ or inside the network. Sensors may also be placed on specific systems that are mission critical. Sensor placement will in part drive the decision as to what type of intrusion system is deployed. Sensors may also be placed inline where one IDS performs signature-based scanning and permits valid traffic to the second IDS, which then performs heuristic or another scan type. This helps guarantee that a bottleneck is not created by placing too much demand on a single IDS. Intrusion detection systems are divided into two broad categories: network intrusion detection system and host intrusion detection system.

Web Application Firewalls

Web application firewalls (WAFs) are a technology that helps address the concerns of web application security. The WAF is not a replacement for a traditional firewall, but it adds another layer of protection. Whereas traditional firewalls block or allow traffic, WAFs can protect against cross-site scripting (XSS), hidden field tampering, cookie poisoning, and even SQL injection attacks. WAFs operate by inspecting the higher levels of the TCP/IP OSI layers and also tie in more closely with specific web apps.

Think of it in this way: a conventional firewall may deny inbound traffic at the perimeter. A WAF is a firewall sitting between a web client and a web server, analyzing OSI layer 7 traffic. These devices have the ability to perform deep packet inspection and look at requests and responses within the HTTP/HTTPS/SOAP/XML-RPC/Web Service layers. As with any security technology, WAFs are not 100 percent effective; there are various methods and tools used to detect and bypass these firewalls.

Two examples of automated detection tools are w3af and wafw00f. There are many more. Also available are various methods of exploiting inherent vulnerabilities in WAFs, which differ according to the WAF technology. One of the most prominent is cross-site scripting (XSS), which is one of the very things WAFs are designed to prevent. Some WAFs can detect attack signatures and try to identify a specific attack, whereas others look for abnormal behavior that doesn't fit the website's normal traffic patterns.

It may not be a viable option for a company or organization to cease communications across the Internet. This is where the WAF comes into the picture. A WAF can be monumental in protecting these organizations from emerging threats inherent in social networking and other web applications that the conventional firewall was not designed to defend against. One open-source example of a WAF is ModSecurity. Commercial options are offered through Barracuda Networks, Fortinet, and Cisco Systems.

Network Access Control

For large and small businesses alike, achieving optimal network security is a never-ending quest. A CASP+ plays a big part in securing critical systems. One potential solution to these issues is network access control (NAC). NAC offers administrators a way to verify that devices meet certain health standards before they're allowed to connect to the network. Laptops, desktop computers, or any device that doesn't comply with predefined requirements can be prevented from joining the network or can be relegated to a controlled network where access is restricted until the device is brought up to the required security standards. Several types of NAC solutions are available:

• Infrastructure-based NAC requires an organization to upgrade its hardware and operating systems. If your IT organization plans to roll out Windows 11 or has budgeted an upgrade of your Cisco infrastructure, you're well positioned to take advantage of infrastructure NAC.
• Endpoint-based NAC requires the installation of software agents on each network client. These devices are then managed by a centralized management console.
• Hardware-based NAC requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity should noncompliant activity be detected.

Virtual Private Networks

One item that has really changed remote access is the increased number of ways that individuals can communicate with their company and clients. Hotels, airports, restaurants, coffee shops, and so forth now routinely offer Internet access. It's a low-cost way to get connectivity, yet it's a public network. This is why virtual private networks were created.

A virtual private network (VPN) is a mechanism for providing secure, reliable transport over the Internet. VPNs are secure virtual networks built on top of physical networks. The value of a VPN lies in the ability to encrypt data between the endpoints that define the VPN network. Because the data is encrypted, outside observers on a public network are limited in what they can see or access. From a security standpoint, it is important to understand that a VPN is not a protocol. It's a method of using protocols to facilitate secure communications.

VPNs can be either hardware- or software-based. Both hardware and software VPNs offer real value and help protect sensitive company data.

• Hardware-Based VPNs Hardware-based VPNs offer the ability to move the computational duties from the CPU to hardware. The hardware add-on product handles computationally intensive VPN tasks and can be useful for connecting remote branch offices. These solutions work well but require the purchase of additional hardware, which adds complexity to the network.
• Software-Based VPNs Software-based VPNs are easy to build and implement. Several companies, such as PublicVPN.com, Anonymizer.com, VyprVPN.com, and many others, offer quick, easy-to-install software VPN solutions. These options do not require an investment in additional hardware and are extremely valuable for smaller firms with a limited IT staff because they are easier for the IT engineer to set up and maintain. However, in these situations, the company is relying on a third-party VPN provider. This approach could be problematic if companies need to control all aspects of their communications, such as partner business partner agreements (BPAs).

Companies continually work to improve protocols designed for use with VPNs. For example, in the mid-1990s, Microsoft led a consortium of networking companies to extend the Point-to-Point Protocol (PPP). The goal of the project was to build a set of protocols designed to work within the realm of VPNs. The result of this work was the Point-to-Point Tunneling Protocol (PPTP). The purpose of PPTP was to enable the secure transfer of data from a remote user to a server via a VPN. A VPN can be implemented using several different protocols, but the two that will be discussed here are IPsec and SSL. At a high level, the key distinction between the two is that IPsec VPNs operate at the Network layer, while SSL VPNs operate at the Application layer.

In the context of an SSL VPN, you'll recall that the SSL protocol is no longer regarded as secure. The VPN is actually using TLS. While this VPN implementation is still popularly referred to as an SSL VPN, as a CASP+ you must understand that SSL/TLS is in use.

A big advantage to using an SSL/TLS VPN is stricter control, governing access per application rather than to the network as a whole. In fact, restricting access per user is simpler with SSL/TLS VPNs than with an IPsec VPN. The final and arguably the most common reason why small organizations lean toward an SSL/TLS VPN is cost. IPsec VPNs require specialized end-user software, which likely includes licensing costs. Such costly client software isn't a requirement when connecting via SSL/TLS, which is a common feature in any browser today.

Domain Name System Security Extensions

Before service is enabled on any DNS server, it should be secured. Some of the most popular DNS server software, such as the Internet Systems Consortium's BIND, has suffered from a high number of vulnerabilities in the past that have allowed attackers to gain access to and tamper with DNS servers. Alternatives to BIND such as Unbound are available, and you should consider them if your infrastructure permits. DNS is one of the services that you should secure, as there are many ways an attacker can target DNS. One such attack is DNS cache poisoning. This type of attack sends fake entries to a DNS server to corrupt the information stored there. DNS can also be susceptible to denial-of-service (DoS) attacks and unauthorized zone transfers. DNS uses UDP port 53 for DNS queries and TCP port 53 for zone transfers. Securing the zone transfer process is an important security control.

The integrity and availability of DNS are critical for the health of the Internet. One common approach to securing DNS is to manage two DNS servers: one internal and one external. Another approach is using Domain Name System Security Extensions (DNSSEC). DNSSEC is a real consideration, since one of the big issues with running two DNS servers is that the external DNS server that provides information to external hosts remains vulnerable to attack. This is because DNS servers have no mechanism of trust. A DNS client cannot normally determine whether a DNS reply is valid.

With DNSSEC, the DNS server provides a signature and digitally signs every response. For DNSSEC to function properly, authentication keys have to be distributed before use. Otherwise, DNSSEC is of little use if the client has no means to validate the authentication. DNSSEC authenticates only the DNS server and not the content. Even if the DNS server is configured for DNSSEC, situations can arise where the server may sign the results for a domain that it is impersonating. You can read more about DNSSEC at www.dnssec.net.

Firewall/Unified Threat Management/Next-Generation Firewall

Today, a range of security devices are available to help security professionals secure critical assets. These include antivirus, anti-spyware, host-based firewalls, next-generation firewalls (NGFWs), intrusion detection and prevention systems, and so on. But what if you could combine much of this technology into one common device?

Actually, you can do that, as it is what unified threat management (UTM) is designed to accomplish. UTM is an all-in-one security product that can include multiple security functions rolled into a single appliance. UTMs can provide network firewalling, network intrusion prevention, and gateway antivirus. They also provide gateway anti-spam and offer encrypted network tunnels via VPN capability, content filtering, and log/audit reporting. The real benefit of UTM is simplicity and an all-in-one approach to data flow enforcement. For smaller organizations, a single purchase covers most common security needs, and the device can be controlled and configured from a single management console. UTM devices are typically placed at the edge of the network. They offer the convenience of an all-in-one device, but the drawback is that if the device fails, there is no remaining protection.

Network Address Translation and Internet Gateway

Although IPv6 is becoming used by more organizations today, IPv4 is still the industry standard. IPv4 worked well for many years, but as more and more devices have been added to the Internet, the number of free addresses has decreased. IPv4 provides for approximately 4.3 billion addresses, which may seem like a lot, but these addresses have been used up at an increasingly rapid rate, mostly due to all of the Class B networks already allocated.

Several methods were adopted to allow for better allocation of IPv4 addresses and to extend the use of the existing address space. One was the concept of variable-length subnet masking (VLSM). VLSM was introduced to allow flexible subdivision into varying network sizes. Another was the introduction of network address translation (NAT). NAT, which is covered in RFC 1918, set aside three ranges of addresses to be designated as private: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. NAT was designed to help with the shortage of IPv4 addresses, to provide a low level of security, and to ease network administration for small to medium businesses.

A network address translation (NAT) gateway (NGW) is used to enable devices in a private subnet with no public IP addresses to connect to the Internet or cloud services. It also prevents the Internet from connecting directly to those devices. An Internet gateway (IGW), on the other hand, allows a logical connection between an instance with a public IP to connect to the Internet.

Forward/Transparent and Reverse Proxy

A popular network component that is used for protection is a proxy. Many think of a proxy as a mechanism that “stands in place of.” A transparent proxy, also called a forward proxy, inline proxy, intercepting proxy, or forced proxy, is a server that intercepts the connection between an end user or device and the Internet. It is called transparent since it does not modify any requests and responses and can block malicious incoming traffic.

Using a transparent proxy, for example, an end user on a corporate network requests to view a page on www.cnn.com and views the same information as they would on their local connection at home. The page is delivered from a transparent proxy running on the corporate network. The user's experience is precisely the same, but the user's employer now has the ability to monitor their behavior and restrict access to specific websites. Squid Transparent Proxy Server is a popular open-source transparent proxy tool.

A reverse proxy server sits at the edge of the network and handles the policy management and traffic routing. It receives the connection request from the user, completes a TCP three-way handshake, connects with the origin server, and sends the original request. The reverse proxy is well suited for scrubbing incoming application traffic before it goes to a backend server. This helps an organization with DDoS protection to minimize impact, helps with web application protection to drop malicious packets, and can even reroute traffic to ensure availability.

Routers

Another critical network component is the router. Routers are considered OSI layer 3 components. A router's primary purpose is to forward packets out the correct port toward their destination through a process known as routing. Routers primarily work with two items: routing protocols and routable protocols. A good example of a routable protocol is IP. Routers examine IP packet headers and determine the location to where they should be forwarded. The header contains the destination address. The router is already aware which port connects to the network for which that destination is local. The path they take is determined by the routing protocol. Examples of routing protocols include Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Routers can forward IP packets to networks that have the same or different medium types. Routers can also be targeted by attackers. Some common attacks include route poisoning and Internet Control Message Protocol (ICMP) redirect attacks.

Improper router configurations are a big security risk. Although physical controls are important, software controls are needed to prevent router attacks.

• Transport Security Increased network security risks and regulatory compliances have driven the need for wide area network (WAN) transport security. Examples of transport security include IPsec, TLS, and SSL. IPsec is the Internet standard for security. Designed as an add-on to IPv4, it is also integrated with IPv6. TLS and SSL perform the same service but are implemented differently. The most widely used version of TLS is v1.2, but the latest, v1.3, is already supported in the current version of most major web browsers.
• Port Security Port security contains layer 2 traffic, which is a control feature of the Cisco Catalyst Switches. Port security gives security analysts and network administrators the capability to configure individual switch ports, which allow only a specific number of source MAC addresses to ingress the port. Port security's primary function is to deter the addition by users of what are known as dumb switches that illegally extend the reach of the network. Adding unmanaged devices can complicate troubleshooting for administrators and is not recommended. Port security is enabled with default parameters by issuing a single command on an interface.
• Remotely Triggered Black Hole Filtering Remotely Triggered Black Hole (RTBH) filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge, or anywhere else in the network, specifically to drop undesirable traffic before it enters the service provider network.

  One major area that needs to be mitigated is distributed denial-of-service (DDoS) attacks. For DDoS protection, once an attack is detected, black holing can be used to drop all DDoS attack traffic at the edge of an Internet service provider (ISP) network, based on either the destination or source IP address. Black holing is done by forwarding this traffic to a Null0 interface. A DDoS attack is then launched from the Internet targeting the server.

  In addition to service degradation of the target, the entire internal infrastructure will be affected due to high bandwidth consumption and processor utilization. Because of the distributed nature of the attack, network administrators must block all inbound traffic destined for the victim at the edge.

• Trunking Security Trunking security is an important concern when discussing virtual local area networks (VLANs). VLANs started as a security and traffic control used to separate network traffic. The VLAN model works by separating its users into workgroups, such as engineering, marketing, and sales. Today, many companies prefer campus-wide VLANs because VLANs have to span and be trunked across the entire network. A trunk is simply a link between two switches that carries more than one VLAN's data.

  From a security perspective, this is a concern. If an attacker can get access to the trunked connection, they can potentially jump from one VLAN to another. This is called VLAN hopping. It is important to make sure that trunked connections are secure so that malicious activity cannot occur. Cisco has several ways to incorporate VLAN traffic for trunking. These techniques may include the IEEE's implementation of 802.1Q or Cisco's Inter-Switch Link (ISL).

Distributed denial-of-service (DDoS) attacks have been around a long time, and they're still a valid area of concern. Let's look at a few protective measures that can be taken for a router or switch.

• Route Protection Route or path protection means to ensure that controls are in place to protect the network flow end to end. That's a general definition, but the actual technique depends highly on what type of network is being protected, be it an Optical Mesh network, a Multi-Protocol Label Switching (MPLS) network, or something else.
• DDoS Protection Distributed denial-of-service (DDoS) attacks can be crippling to an organization, particularly if the traffic is so debilitating that the network engineer loses control and connectivity to devices to help stem the attack. One mitigating technique is to use remotely triggered black hole routing. As the name suggests, if network traffic is identified as unwanted, that traffic is sent to the network version of a “black hole” and dropped.

Mail Security

Many individuals would agree that email is one of the greatest inventions to come out of the development of the Internet. It is the most used Internet application. Just take a look around the office and see how many people use Android phones, iPhones, laptops, tablets, and other devices that provide email services. Email provides individuals with the ability to communicate electronically through the Internet or a data communications network.

Although email has many great features and provides a level of communication previously not possible, it's not without its problems. Now, before we beat it up too much, you must keep in mind that email was designed in a different era. Decades ago, security was not as much of a driving issue as usability. By default, email sends information via clear text, so it is susceptible to eavesdropping and interception. Email can be easily spoofed so that the true identity of the sender may be masked. Email is also a major conduit for spam, phishing, and viruses. Spam is unsolicited bulk mail. Studies by Symantec and others have found that spam is much more malicious than in the past. Although a large amount of spam is used to peddle fake drugs, counterfeit software, and fake designer goods, it's more targeted to inserting malware via malicious URLs today.

As for functionality, email operates by means of several underlying services, which can include the following:

• Simple Mail Transfer Protocol Simple Mail Transfer Protocol (SMTP) is used to send mail and relay mail to other SMTP mail servers and uses port 25 by default. The secure version uses SSL/TLS on port 587 or 465.
• Post Office Protocol Post Office Protocol (POP3), the current version, is widely used to retrieve messages from a mail server. POP3 performs authentication in clear text on port 110. The secure version uses SSL/TLS on port 995.
• Internet Message Access Protocol Internet Message Access Protocol (IMAP) can be used as a replacement for POP3 and offers advantages over POP3 for mobile users. IMAP has the ability to work with mail remotely and uses port 143. The secure version uses SSL/TLS on port 993.

Basic email operation consists of the SMTP service being used to send messages to the mail server. To retrieve mail, the client application, such as Outlook, may use either POP or IMAP. Using a tool like Wireshark, it is very easy to capture clear-text email for review and reinforces the importance of protecting email with PGP, SSL/TLS, or other encryption methods.

Application Programming Interface Gateway/Extensible Markup Language Gateway

Today's systems are much more distributed than in the past and have a much greater reliance on the Internet. At the same time, there has been a move toward service-enabled delivery of services.

Have you noticed that many of the web-based attacks today no longer target web servers but are focused on web applications? Web-based applications continue to grow at a rapid pace, and securing them is a huge job. Application programming interfaces (APIs) are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond. This definition means that programs written in any language can implement the API and make requests.

APIs are tremendously useful for building interfaces between systems, but they can also be a point of vulnerability if they are not properly secured. API security relies on authentication, authorization, proper data scoping to ensure that too much data isn't released, rate limiting, input filtering, and appropriate monitoring and logging to remain secure. An API gateway sits between an external client and the application running on premises or in the cloud. An API gateway can validate an incoming request, send it to the right service, and deliver the correct response. An API gateway can act as an API proxy so the original API is not exposed.

Web services also make use of Extensible Markup Language (XML) messages. XML is a popular format for encoding data, and it is widely used for a variety of applications, ranging from document formats such as Microsoft Office to web formats. An XML gateway serves as an entry point for web traffic and an outbound proxy for internal web service consumers.

Traffic mirroring

Traffic mirroring is used by cloud vendors to monitor network traffic. Traffic mirroring copies the inbound and outbound traffic from the network interfaces that are attached to the cloud instance or load balancer. The purpose of a traffic mirror is to take the data and share with monitoring tools for content inspection, threat monitoring, and often, troubleshooting when issues arise.

Sensors

Sensors are being increasingly used in cybersecurity and could be a firewall log or a network tap. A sensor collects information about the network and uses it in tools around the environment, doing data analysis to make decisions about safety measures and defense. Host-based sensors provide accurate information, and network sensors provide extensive coverage but can be vulnerable to security threat actors. Developing a secure sensor network requires redundancy to ensure adequate protection against cyberattack.

Microsegmentation

Microsegmentation is a method that is used in network security that allows a datacenter to be cut up into small and distinct security segments. After the segmentation, a security architect can define security controls and deliver services for each unique segment. This allows for extremely flexible security policies and application-level security controls, increasing resistance to a cyberattack.

Local Area Network/Virtual Local Area Network

A local area network (LAN) is a computer network that connects computers within a local area such as a home, school, or office. A virtual LAN (VLAN) is used to segment network traffic. VLANs offer many benefits to an organization because they allow the segmentation of network users and resources that are connected administratively to defined ports on a switch. VLANs reduce network congestion and increase bandwidth. VLANs result in smaller broadcast domains. VLANs can also be used to separate portions of the network that have lower levels of security. This defense-in-depth technique can use specific VLANs to include additional protection against sniffing, password attacks, and hijacking attempts. Although VLAN separation can be defeated, this will add a layer of defense that will keep out most casual attackers.

To increase security, network partitioning will segment systems into independent subnets. Network partitioning requires a review of potential network access points. Once these access points have been defined, a number of different technologies can be used to segment the network. Common and upcoming technologies include the use of packet filters, stateful inspection, application proxy firewalls, web application firewalls, multilayer switching, dispersive routing, and virtual LANs (VLANs)/virtual extensible LANs (VXLANs).

Jump Box

A jump box, oftentimes called a jump host or jump server, is a hardened device used to manage assets in different security zones. A jump box is used by administrators logging in as an origin point to then connect, or jump, to another server or untrusted environment. This is a way to keep threat actors from stealing credentials. Jump boxes are slowly evolving into a technology called a secure admin workstation (SAW). Neither a jump box nor a SAW should ever be used for a nonadministrative task like surfing the Internet, opening email, or using office applications. It is strictly used by administrators for administrator tasks.

Screened Subnet

A screened host firewall adds a router and screened host. The router is typically configured to see only one host computer on the intranet network. Users on the intranet have to connect to the Internet through this host computer, and external users cannot directly access other computers on the intranet.

A screened subnet sets up a type of demilitarized zone (DMZ). A screened subnet is a solution that organizations can implement to offer external-facing resources while keeping the internal network protected. Servers that host websites or provide public services are often placed within the DMZ.

DMZs are typically set up to give external users access to services within the DMZ. Basically, shared services such as an external-facing web server, email, and DNS can be placed within a DMZ; the DMZ provides no other access to services located within the internal network. Of course, what traffic is allowed or denied depends on the rules put into effect on either side of the screened subnet. Screened subnets and DMZs are the basis for most modern network designs.

Organizations implement a screened subnet by configuring a firewall with two sets of rules, segmenting a network between the Internet and two firewalls. This allows the organization to offer services to the public by letting Internet traffic go through a firewall less restrictive than the firewall protecting the internal network. A screened subnet is the middle segment, which also provides an extra layer of protection by adding a perimeter network that further isolates the internal network from the Internet. The screened subnet option is not an expensive one for an organization when using a triple-homed firewall, or a firewall with three network ports.

Data Zones

Examine security in your network from endpoint to endpoint and consider building security and data zones of protection to limit the reach of an attacker. This extends from where traffic enters the network to where users initially connect to the network and its resources. This requires defense in depth and availability controls. One of several approaches can be used to build different zones. These approaches include the following:

• Vector-Oriented This approach focuses on common vectors used to launch an attack. Examples include disabling autorun on USB thumb drives, disabling USB ports, and removing CD/DVD burners.
• Information-Centric This approach focuses on layering controls on top of the data. Examples include information controls, application controls, host controls, and network controls.
• Protected Enclaves This approach specifies that some areas are of greater importance than others. Controls may include VPNs, strategic placement of firewalls, deployment of VLANs, and restricted access to critical segments of the network.

When considering endpoint security and data zones, who is the bigger threat: insiders or outsiders? Although the numbers vary depending on what report you consult, a large number of attacks are launched by insiders. A trusted insider who decides to act maliciously may bypass controls to access, view, alter, destroy, or remove data in ways that the employer disallows.

Outsiders may seek to access, view, alter, destroy, or remove data or information. Incidentally, you must consider the occasional external breach, such as malware, which provides an outsider with access to the inside network. Currently, there are reports of conventional attacks having high rates of success. This includes simple attack mechanisms such as various types of malware, spear phishing, other social engineering attacks, and so on. Once inside, the sophistication level of these attacks increases dramatically as attackers employ advanced privilege escalation- and configuration-specific exploits in order to provide future access, exfiltrate data, and evade security mechanisms. The configuration of a data zone will help regulation of inbound and outbound traffic through the policies created.

Staging Environments

A staging environment is another layer of defense in depth where an enterprise can model their production environment in order to test upgraded, patched, or new software to ensure that when the new code or software is deployed it doesn't break existing infrastructure or create new vulnerabilities. When an organization has a staging environment, it needs to match the existing environment as closely as possible so that analysis is accurate.

A best practice in a staging environment is to allow the software to run for a set period of time. In the past, it has been up to seven days before deployment in a live environment. However, the SolarWinds breach of 2021 taught the cyber community just how crafty an attacker could be. They are aware of our best practices, and the malware that was used was set up to execute after 14 days in order to bypass a staging environment. As mentioned, it is another layer in defense in depth, and bad actors know how it is used.

Guest Environments

Any large organization will occasionally have scenarios where there are visitors to the organization who need access to a guest sharing environment. These individuals are not employees of the organization and could be bringing unmanaged devices with them. For obvious security reasons, these assets should not be joined to a protected domain. For that reason alone, anyone who is coming to an organization to take a class or visit the campus should sign a terms of use agreement and have web access only for those unmanaged devices. If they are allowed to work on sensitive or classified materials, the following should be put in place:

• Configure a timeout policy so authentication happens daily.
• Create an automatically assigned classification type for any sensitive materials guests are touching.
• Set up multifactor authentication (MFA) for guests.
• Conduct reviews to validate permissions to corporate sites and information.

VPC/Virtual Network

A virtual private cloud (VPC) is an on-demand highly secured cloud environment hosted inside a public cloud. Many VPC customers will use this type of setting for testing code, storing information, or hosting a website. Many cloud providers offer a VPC type of ecosystem and require a more secure connection.

A virtual network (VNET) is exactly what it sounds like. A VNET is where all devices, virtual machines, and datacenters are created and maintained with software. Most cloud providers offering VNET capabilities give customers a lot of control over their instances with IP addressing, subnets, routing tables, and firewall rules. This allows for scalability and efficiency.

Availability Zone

Another element of defense in depth is the creation of availability zones. The purpose of an availability zone is to have highly available independent locations within regions for failover and redundancy. For major cloud providers, a single zone has multiple physical datacenters.

Policies/Security Groups

Policies are high-level documents, developed by management, to transmit the overall strategy and philosophy of management to all employees. Senior management and process owners are responsible for the organization. Policies are a template in the sense that they apply guidance to the wishes of management. Policies detail, define, and specify what is expected from employees and how management intends to meet the needs of customers, employees, and stakeholders.

There are two basic ways in which policies can be developed. In some organizations, policy development starts at the top of the organization. This approach, known as top-down policy development, means that policies are pushed down from senior management to the lower layers of the company. The big advantage of top-down policy development is that it ensures that policy is aligned with the strategy and vision of senior management. A downside of such a process is that it requires a substantial amount of time to implement and may not fully address the operational concerns of average employees. An alternative approach would be to develop policy from the bottom up. The bottom-up approach to policy development addresses the concerns of average employees. The process starts with their input and concerns and builds on known risks that employees and managers of organizational groups have identified. The big downside is that the process may not always map well to senior management's strategy.

For modern cloud infrastructures, you can use tools such as AWS Firewall Manager security group policies to manage Amazon Virtual Private Cloud security groups for your organization in AWS Organizations. You can apply centrally controlled security group policies to your entire organization or to a select subset of your accounts and resources. You can monitor and manage the security group policies that are in use in your organization, with auditing and usage security group policies.

You should be able to identify specific types of policies before attempting the CASP+ exam. Some basic policy types include the following:

• Regulatory A regulatory policy makes certain that the organization's standards are in accordance with local, state, and federal laws. Industries that make frequent use of these documents include healthcare, public utilities, refining, education, and federal agencies.
• Informative An informative policy is not for enforcement; it is created to teach or help employees and others understand specific rules. The goal of informative policies is to inform employees or customers. An example of an informative policy for a retail store is that it has a 90-day cash return policy on items bought at the store if you keep your receipt.
• Advisory An advisory policy is designed to ensure that all employees know the consequences of certain behavior and actions. An example of an advisory policy is an acceptable use policy (AUP). This policy may advise how the Internet can be used by employees and may disallow employees from visiting social networking or pornographic websites. The policy might state that employees found to be in violation of the policy could face disciplinary action, up to and including dismissal.

One specific type of policy in which a CASP+ should be interested is a company's security policy. The security policy is the document that dictates management's commitment to the use, operation, and security of information systems. You may think of this policy as only addressing logical security, but most security policies also look at physical controls. Physical security is an essential part of building a secure environment and a holistic security plan. The security policy specifies the role that security plays within a company. The security policy should be driven by business objectives. It must also meet all applicable laws and regulations. For example, you may want to monitor employees, but that doesn't mean placing CCTV in bathrooms or dressing rooms.

The security policy should be used as a basis to integrate security into all business functions and must be balanced in the sense that all organizations are looking for ways to implement adequate security without hindering productivity or violating laws. It's also important not to create an adversarial relationship with employees. Cost is an issue in that you cannot spend more on a security control than the value of the asset. Your job as a security professional is to play a key role in the implementation of security policies based on organizational requirements.

In your role as a security professional, look closely at the security policies that apply to you and your employees. As a CASP+, you should be able to compare and contrast security, privacy policies, and procedures based on organizational requirements. If you are tasked with reviewing security policies, consider how well policy maps to activity. Also, have you addressed all new technology?

As business goals and strategies change, IT security policies will need to adapt to meet those changes. But factors external to the business, such as technological innovation and changing social expectations, will also force that adaptation of policies. For example, as smartphones became inexpensive and commonplace, this emerging risk called for new policies to address it. Finally, it's important to remember that policies don't last forever. For instance, a policy from 1992 that addressed the use of and restrictions on modems would need to be revisited. Older technologies, such as modems, become obsolete as new technologies become affordable; therefore, business processes have to change. It's sometimes easy to see that low-level procedures need to be updated, but this kind of change applies to high-level policies as well. Policies are just one level of procedural control. Next, our discussion will focus on procedures.

Procedures are documents that fall under policies. Consider procedures as more detailed documents that are built from the parent policy. Procedures provide step-by-step instructions. For example, your company may migrate from a Cisco to a Check Point firewall. In this situation, the policy would not change in that the policy dictates what type of traffic can enter or exit the network. What would change, however, is the procedure, because the setup and configuration of a Cisco device and a Check Point device are different.

Procedures are detailed documents; they are tied to specific technologies and devices. Procedure documents require more frequent changes than policy documents to stay relevant to business processes and procedures. Procedures change when equipment changes, when software changes, when policy changes, and even when the sales season changes. Any change will require a review of the procedure. This review process should be built into change management.

We have seen procedures that look great on paper but that cannot be carried out in real life. When policies are developed, they must be mapped back to real-life activities and validated. Although problems may be caught during an audit, that's after the fact and may mean that poor practices have been ongoing for some time. Misalignment can mean that the procedure doesn't map or is outdated, or that employees have not had the proper training on the procedure you asked to see in operation.

Regions

Geographic segmentation occurs in marketing because not all products are sold everywhere. Regional preferences are considered. A global cybersecurity organization may choose to segment networks and applications based on where the workforce resides. This helps create layers of defense in depth as well as improve performance and make for less congestion. It can also reduce compliance requirements related to auditing.

Access Control Lists and Network Access Control

Firewalls can be hardware, software, or a combination of both. They are usually located at the demarcation line between trusted and untrusted network elements. Firewalls play a critical role in the separation of important assets. Firewall rules determine what type of traffic is inspected, what is allowed to pass, and what is blocked. The most basic way to configure firewall rules to create network access control (NAC) is by means of an access control list (ACL). A network access control list is a layer of security that controls traffic coming in or out of specific subnets.

There are two types of ACLs, filesystem and networking. Filesystem ACLs work as a filter with rules allowing or denying access to directories or files. This ACL gives the operating system directions about what level of privilege the user has. A networking ACL provides information to switches and routers through rules about who is allowed to interface with the network and what devices can do once inside the network. When NAC is used but an agent is not installed on a device, it is referred to as an agentless configuration. When using agentless NAC, the policy enforcement component is integrated into an authentication system like Microsoft Active Directory. The enforcement of policies is performed when the device logs on or off the network.

An ACL is used for packet filtering and for selecting the types of traffic to be analyzed, forwarded, or influenced in some way by the firewall or device. ACLs are a basic example of data flow enforcement. Simple firewalls, and more specifically ACL configuration, may block traffic based on the source and destination addresses. However, more advanced configurations may deny traffic based on interface, port, protocol, thresholds, and various other criteria. Before implementing ACLs, be sure to perform secure configuration and baselining of networking and security components. Rules placed in an ACL can be used for more than just allowing or blocking traffic. For example, rules may also log activity for later inspection or to record an alarm. Table 8.1 shows the basic rule set.

For the CASP+ exam, you will need to have a basic understanding of ACLs and their format. The command syntax format of a standard ACL in a Cisco IOS environment is as follows:

 access-list access-list-number {permit|deny}
 {host|source source-wildcard|any}

There are also extended ACLs. These rules have the ability to look more closely at the traffic and inspect for more items, such as the following:

• Protocol
• Port numbers
• Differentiated Services Code Point (DSCP) value
• Precedence value
• State of the synchronize sequence number (SYN) bit

The command syntax formats of extended IP, ICMP, TCP, and UDP ACLs are shown here:

IP Traffic

access-list access-list-number
 [dynamic dynamic-name [timeout minutes]]
 {deny|permit} protocol source source-wildcard
 destination destination-wildcard [precedence precedence]
 [tos tos] [log|log-input] [time-range time-range-name]

ICMP Traffic

access-list access-list-number
 [dynamic dynamic-name [timeout minutes]]
 { deny|permit } icmp source source-wildcard
 destination destination-wildcard
 [icmp-type [icmp-code] |icmp-message]
 [precedence precedence] [tos tos] [log|log-input]
 [time-range time-range-name]

TCP Traffic

access-list access-list-number
 [dynamic dynamic-name [timeout minutes]]
 { deny|permit } tcp source source-wildcard [operator [port]]
 destination destination-wildcard [operator [port]]
  [established] [precedence precedence] [tos tos]
 [log|log-input] [time-range time-range-name]

UDP Traffic

access-list access-list-number
 [dynamic dynamic-name [timeout minutes]]
 { deny|permit } udp source source-wildcard [operator [port]]
 destination destination-wildcard [operator [port]]
 [precedence precedence] [tos tos] [log|log-input]
 [time-range time-range-name]

Peer-to-Peer

As far as segmentation goes, peer-to-peer (P2P) networks are used for equality. In a P2P, all computers and devices share and exchange workloads, and there is no privilege and no administrator. P2P networks are perfect for file sharing because devices connected can receive and send files at the same time. A P2P network is hard to bring down and very scalable. Large files are often shared on this type of architecture; however, P2P can also be used for illegitimate activities such as piracy of copyrighted materials, which is punishable by law.

Air Gap

Air gap refers to systems that are not connected in any way to the Internet. An air-gapped system has no risk of being compromised from the outside but can still be vulnerable to an attack from the inside.

The 2010 Stuxnet attack is generally recognized as the first implementation of a worm as a cyber weapon. The worm was aimed at the Iranian nuclear program and copied itself to thumb drives to bypass air-gapped computers (physically separated systems without a network connection). Stuxnet took advantage of a number of techniques advanced for its time, including using a trusted digital certificate, searching for specific industrial control systems (ICSs) that were known to be used by the Iranian nuclear program, and specific programming to attack and damage centrifuges while providing false monitoring data to controllers to ensure that the damage would not be noticed until it was too late. For more information about Stuxnet, see this Wired article:

www.wired.com/2014/11/countdown-to-zero-day-stuxnet

Cloud

Cloud computing offers users the ability to increase capacity or add services as needed without investing in new datacenters, training new personnel, or maybe even licensing new software. This on-demand, or elastic, service can be added, upgraded, and provided at any time. With cloud computing, an organization is being forced to place their trust in the cloud provider. The cloud provider must develop sufficient controls to provide the same or a greater level of security than the organization would have if the cloud were not used. Defense in depth is built on the concept that every security control is vulnerable. Cloud computing places much of the control in someone else's hands. One big area that is handed over to the cloud provider is access. Authentication and authorization are real concerns. Because the information or service now resides in the cloud, there is a much greater opportunity for access by outsiders. Insiders might pose an additional risk.

Insiders, or those with access, have the means and opportunity to launch an attack and lack only a motive. Anyone considering using the cloud needs to look at who is managing their data and what types of controls are applied to individuals who may have logical or physical access. Chapter 9, “Secure Cloud and Virtualization,” is dedicated to everything cloud.

Remote Work

The huge exodus from the corporate office to the home office precipitated by the recent pandemic created massive cyber-related security challenges. The biggest challenge is the mindset of the end user. Many remote workers in a recent poll said they would ignore or circumvent corporate security policies if they got in the way of work, and that includes connecting to a coffee shop Wi-Fi without a VPN. Leaders still get complaints about restrictive policies, and many work-from-home employees feel that these measures waste their time.

Most organizations have had to rework their security policies to adapt to the increased remote work while IT teams still deal with ransomware, vulnerabilities, and data exfiltration. The only way past this is to foster a more cohesive and collaborative security culture in the organization and balance ease-of-use security measures with productive operations.

Mobile

Enterprise security is already a challenge, but with the advent of mobile devices it has gotten a whole lot harder. It is enough of a challenge to secure the environment within the four walls of the corporate building. Now wireless connectivity has pushed the network boundary well past the four walls. With mobile devices, employees expect simple and easy connectivity to both the enterprise and the world around them. Thankfully, there are several technologies and techniques available to integrate security controls to support mobile and small form factor devices.

• Application, Content, and Data Management To ensure that the mobile device's integrity stays within acceptable limits, the IT team will want to maintain oversight and management of the applications, content, and data on the device.
• Application Wrapping If enterprise users rely on a third-party application but the mobile device management team desires more control or wants to implement policy on that application, then one option is to use a process called application wrapping. Application wrapping involves adding a management layer around an app without making any changes to the app itself.
• Remote Assistance Access Maybe those managing the mobile devices need to assist users while they're away or can't let go of their phones. The team could use an application such as virtual network computing (VNC), available on several platforms, to access the user's mobile device remotely. Another option is screen mirroring or duplicating your phone's screen display on an authorized desktop, where an administrator can take control or transfer files as needed.
• Configuration Profiles and Payloads How can an IT department manage to keep track of every user's mobile device configuration? Now increase that challenge due to the variety of available mobile devices. What makes it possible for IT departments to manage this situation is the use of configuration profiles. By establishing and remotely installing a group of configuration settings and implementing standard configuration profiles, managing a large number of mobile devices is effectively like managing a single device.

  A subset of configuration settings within a configuration profile is called a payload. You might have a “mail” payload that configures the users’ devices for all settings related to email, such as server, port, and address. Security restrictions can also be a part of the configuration profile payload.

• Application Permissions For each application, your mobile operating system will allow the user effectively to control what that application can do, access, or execute on the user's behalf. Application permissions are accessible within the configuration settings of the mobile OS. Typical objects that an application may seek access to include the camera, microphone, phone application, and address book, among others. Obviously, access to any of these objects should be granted only if the application is deemed trusted and the decision to bypass an added user action is warranted.
• VPN How mobile users connect to the enterprise environment impacts the risk that they place on the perimeter and network. If an organization allows users to connect over Wi-Fi at a coffee shop, this is unacceptable, and it is all but guaranteed to cause the CASP+ headaches in the near future. Instead, establishing and using a virtual private network (VPN) is a far safer way for users to connect to the internal, trusted network. The caveat regarding mobile devices is how much faster they consume resources. The trick is to find a VPN solution with some intelligence to it and train it (and users) to establish a VPN only when it is truly needed.
• Over-the-Air Updates

  In addition to managing configuration settings remotely, the team responsible for installing updates can do this remotely. This delivery, known as over-the-air (OTA) updates, avoids waiting for a user to come in or dock their device for the update. Software or the device's firmware can be updated in this way.

• Remote Wiping Another process that a CASP+ might need to do without relying on the user being “in the building” is remotely wiping the device. For example, as part of the process of a termination, also known as offboarding, an employee's device could be remotely wiped, mitigating the risk of unauthorized device usage or abuse.

In the context of mobile devices, here are some concerns of which the CASP+ should be aware:

• SCEP The Simple Certificate Enrollment Protocol (SCEP) is a popular method of certificate enrollment, which is the process of a user or device requesting and receiving a digital certificate. SCEP is highly scalable and widely implemented. However, its original designers went on hiatus for several years, and SCEP received little attention to address concerns about its cryptographic strength. According to CERT vulnerability note VU#971035, the authentication methods for SCEP to validate certificate requests are ill suited for any environment other than a closed one. So, any mobility device management (MDM) involving BYOD opens itself up to risks of unauthorized certificate requests.
• Unsigned Apps/System Apps The concept of code signing is designed to ensure that an application developed by a third party has not been altered or corrupted since it was signed as valid. Of course, this matters when the original developer is assumed to be a trusted source. However, what about apps that are not signed? If a user is able to download and install unsigned applications and unsigned system apps, the mobile device is no longer assured to be trustworthy.
• Sideloading Normally, when loading or installing an application, a user would use the device's application-distribution channel. For most devices, this would mean using Google Play or the Apple App Store. But if a user seeks an alternate, back-channel method to load an application that may not be accessible otherwise, that method is called sideloading. Naturally, the security concern for a CASP+ is why such an application requires sideloading and is not available through the normally vetted channel. Sideloading, or loading applications outside a controlled channel, means that the established process of inspecting an application for malicious code is likely being bypassed.
• Context-Aware Management Security restrictions on mobile devices can be placed in keeping with a user's behavior or their local location. Just as straightforward as the position of a mobile device, time-based restrictions can be placed on a user's access and/or authorization. If the user is attempting to access a sensitive share directory after restricted hours, employing time-based restrictions means limiting access until the permissible time period.

Outsourcing and Contracting

Organizations should go through a source strategy to determine what tasks should be completed by employees, contractors, or third parties. Outsourcing is one common approach. Outsourcing can be defined as an arrangement in which one company provides services for another company that may or may not have been provided in house. Outsourcing has become a much bigger issue in the emerging global economy, and it is something security professionals need to review closely. There will always be concerns when ensuring that third-party providers have the requisite levels of information security.

Outsourcing has become much more common in the IT field throughout the course of the last decade or so. In some cases, the entire information management function of a company is outsourced, including planning and business analysis as well as the installation, management, and servicing of the network and workstations. The following services are commonly outsourced:

• Application/web hosting
• Check processing
• Computer help desk
• Credit card processing
• Data entry
• Payroll and check processing

Crucial to the outsourcing decision is determining whether a task is part of the organization's core competency or proficiency that defines the organization. Security should play a large role in making the decision to outsource because some tasks take on a much greater risk if performed by someone outside the organization.

During any technical deployment, IT security professionals should have a chance to review outsourcing, insourcing, managed services, and security controls and practices of a partnered company. If irregularities are found, they should be reported to management so that expenses and concerns can be properly identified. Before combining or separating systems, a CASP+ should ask these basic questions:

• Who has access to resources?
• What types of access will be provided?
• How will users request access?
• Who will grant users access?
• What type of access logs will be used, what will be recorded, and when will it be reviewed?
• What procedures will be taken for inappropriate use of resources?
• How will security incidents be reported and recorded, and who will handle them?
• Who will be responsible for investigating suspicious activity?

The CASP+ should also be concerned with developing a course of action that is based on informed business decisions with the goal to provide for long-term security. Here are some of the technical deployment models with which a CASP+ should be familiar:

• Outsourcing Outsourcing can be defined as obtaining a resource or item from an outside provider. As an example, consider Dell. Dell might be based in Round Rock, Texas, yet its distribution hub is in Memphis, Tennessee. Further, Dell assembles PCs in Malaysia and has customer support in India. Many parts come from the far corners of the globe.
• Insourcing Insourcing can be defined as using a company's own personnel to build an item or resource or to perform an activity.
• Managed Services Some organizations use managed services. One common approach is to use managed cloud services. Managed cloud hosting delivers services over long periods of time, such as months or even years. The secure use of cloud computing is contingent upon your organization reviewing the cloud provider's policies. In such situations you may be purchasing services in time slices or as a service on a virtual server. This means that data aggregation and data isolation can occur.

  The security concern with data aggregation is that your data may be combined with others or may even be reused. For example, some nonprofit donor databases offer their databases for free yet combine your donor database with others and resell it. Data isolation should be used to address how your data is stored. Is your data stored on an isolated hard drive, or does it share virtual space with many other companies?

  Finally, it is important to discuss the issues of data ownership and data sovereignty with the managed service provider. Make sure that your data remains solely yours while in the custody of the managed service provider. As the volume of data grows, also ensure that the managed service provider maintains the same level of assurance.

Resource provisioning and deprovisioning should be examined before a technical deployment in order to understand how resources are handled. For example, is the hard drive holding your data destroyed, or is it simply reused for another client? How about users? Are their records destroyed and accounts suspended after they are terminated?

In addition to users, resource provisioning and deprovisioning can also include the following:

• Servers
• Virtual devices
• Applications
• Data remnants

When outsourcing is to occur, issues related to IT will be an area of real concern. As in the case of the outsourced MRI diagnosis, sensitive and personal data is often involved with outsourced services. This creates regulatory concerns, most commonly involving the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley (SOX) Act. Many IT departments have mission statements in which they publicly identify the level of service they agree to provide to their customers. This may be uptime for network services, availability of email, response to help-desk calls, or even server uptime. When you are sharing resources with an outsourced partner, you may not have a good idea of their security practices and techniques. Outsourcing partners face the same risks, threats, and vulnerabilities as the client; the only difference is they might not be as apparent. One approach that companies typically use when dealing with outsourcing, insourcing, managed services, or partnerships is the use of service level agreements (SLAs).

The SLA is a contract that describes the minimum performance criteria a provider promises to meet while delivering a service. The SLA will also define remedial action and any penalties that will take effect if the performance or service falls below the promised standard. You may also consider an operating level agreement (OLA), which is formed between operations and application groups. These are just a few of the items about which a CASP+ should be knowledgeable; however, the CASP+ is required to know only the basics. During these situations, legal and HR will play a big role and should be consulted regarding laws related to IT security.

SLAs define performance targets for hardware and software. There are many types of SLAs, among them the following:

• Help Desk and Caller Services The help desk is a commonly outsourced service. One way an outsourcing partner may measure the service being provided is by tracking the abandon rate (AR). The AR is simply the number of callers who hang up while waiting for a service representative to answer. Most of us have experienced this when we hear something like, “Your call is extremely important to us; your hold time will be 1 hour and 46 minutes.”

  Another help-desk measurement is the first call resolution (FCR). FCR is the number of positive solutions that are made on the first call to the help desk before making any additional calls or requiring the user to call back to seek additional help.

  Finally, there is the time-to-service factor (TSF). The TSF is the percentage of help desk or response calls answered within a given time. So, if Kenneth calls in at 8 a.m., is the problem fixed by 9:30 a.m.?

• Uptime and Availability Agreements Another common SLA measurement is an uptime agreement (UA). UAs specify a required amount of uptime for a given service. As an example, a web hosting provider may guarantee 99.999 percent uptime. UAs are commonly found in the area of network services, datacenters, and cloud computing.

Wireless/Radio Frequency Networks

The Institute of Electrical and Electronics Engineers Standards Association (IEEE) is an organization that develops standards for wireless communication gathering information from subject-matter experts (SMEs). IEEE is not an institution formed by a specific government but is a community of recognized leaders who follow the principle of “one country, one vote.”

The IEEE 802.11 is a set of specifications on implementing wireless over several frequencies. As technology has evolved, so has the need for more revisions. If you were to go shopping for wireless equipment, you would see the array of choices you have based on those revisions of 802.11. Most consumer and enterprise wireless devices conform to 802.11a, 802.11b/g/n/ac/ax standards. These standards are better known as Wi-Fi. Bluetooth and wireless personal area networks (WPANs) are specialized wireless technologies.

Information is sent from one component called a transmitter and picked up by another called a receiver. The transmitter sends electrical signals through an antenna to create waves that spread outward. The receiver with another antenna in the path of those waves picks up the signal and amplifies it so it can be processed. A wireless router is simply a router that uses radio waves instead of cables. It contains a low-power radio transmitter and receiver, with a range of about 90 meters or 300 feet, depending on what your walls are made of. The router can send and receive Internet data to any computer in your environment that is also equipped with wireless access. Each computer on the wireless network has to have a transmitter and receiver in it as well.

There are advantages and disadvantages to communicating wirelessly. Networks are pretty easy to set up and rather inexpensive, with several choices of frequencies to communicate over. Disadvantages can include keeping this communication secure, the range of the wireless devices, reliability, and, of course, speed. The transmitter and the receiver need to be on the same frequency, and each 802.11 standard has its own set of pros and cons. The latest Wi-Fi technology is called 802.11ax or Wi-Fi 6/6E. 802.11ax is anywhere from four to ten times faster than existing Wi-Fi with wider channels available, and offers less congestion and improved battery life on mobile devices, since data is transmitted faster.

As with any technology, as it evolves, you will start making decisions on what scenario is best for you and your organization. There may be trade-offs on frequency used, speed, or the range of a device from a Wi-Fi hotspot. A hotspot is merely an area with an accessible network.

When building a typical wireless small office or home office (SOHO) environment, after you identify what technology and design is best for your situation, you configure the settings of your router using a web interface. You can select the name of the network you want to use, known as the service set identifier (SSID). You can choose the channel. By default, most routers use channel 6 or 11. You will also choose security options, such as setting up your own username and password as well as encryption.

As a best practice, when you configure security settings on your router, choose WPA3, the latest and recommended standard. Similar to WPA2, WPA3 includes both a Personal and an Enterprise version. WPA3 maintains equivalent cryptographic strength through the required use of 192-bit AES for the Enterprise version, and optional 192-bit AES for the Personal version. WPA3 helps prevent offline password attacks by using Simultaneous Authentication of Equals (SAE).

Another best practice is configuring MAC filtering on your router. This doesn't use a password to authenticate. It uses the MAC address of the device itself. Each device that connects to a router has its own MAC address. You can specify which MAC addresses are allowed on your network as well as set limitations on how many devices can join your network. If you set up your router to use MAC filtering, one drawback is every time you need to add a device, you have to grant network permission. You sacrifice convenience for better protection. After reading this book, the more advanced user will know how to capture packets, examine the data, and possibly identify the MAC address of a device in the list of permitted devices. MAC filtering with WPA3 encryption is the best way to protect your data.

Peering

Peering on a network is a technique that allows one network to connect directly to another for exchange of information. Benefits of peering include lower cost, greater control, improved performance, and redundancy. There are several types of peering including the following:

• Public: Using a single port on an Ethernet switch, this has less capacity than a private peer but can connect many networks.
• Private: This connects two networks with layer 3 hardware with a point-to-point cable. Private peering makes up most traffic on the Internet.
• Partial: Network traffic is regional.
• Paid: One party pays the other to participate in the peering network.

Cloud to On-Premises

Cloud computing does away with the typical network boundary. This type of deperimeterization and the constantly changing network boundary create a huge impact, as historically this demarcation line was at the edge of the physical network, a point at which the firewall is typically found.

The concept of cloud computing represents a shift in thought in that end users need not know the details of a specific technology. The service is fully managed by the provider. Users can consume the service at a rate that is set by their particular needs so on-demand service can be provided at any time.

Data Sensitivity Levels

Data classification is the process of organizing data into data sensitivity levels based on information characteristics such as degree of sensitivity, risk, and compliance regulations. To merge various organizations' data, sensitive data must be inventoried and classified.

For CASP+ study, data sensitivity labels/types are most often categorized into public, internal-only, confidential, and restricted/highly confidential. Other level name variations you may encounter include Restricted, Unrestricted, and Consumer Protected.

NIST recommends using three categories based on the impact of data disclosure:

• Low impact: Limited adverse effect such as a job posting
• Moderate impact: Serious adverse effect such as financial budgets
• High impact: Severe adverse effect such as account numbers or PHI

For more information about best data classification practices, NIST has published a guide for mapping levels of data to security categories: nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-60v1r1.pdf.

Mergers and Acquisitions

Companies are constantly looking for advantages in business. For some companies, mergers and acquisitions offer a path to increased business opportunities. For example, the merger of Oracle and Cerner was a $28.3 billion ($95.00 per share) merger. These two companies are combining cloud and on-premises datacenters, medical records, distribution, subscriber networks, customer service, and all of the other pieces of their organizations into a single entity. Even though the two companies operate in somewhat similar markets, the amount of work involved with such mergers is staggering.

Businesses that have similar cultures and overlapping target audiences but individually reach those audiences differently may work better as a merged entity. To lean on a business buzzword, the merger creates a synergy that potentially benefits both companies. Take the example when Amazon, the online shopping giant, merged with Whole Foods, the brick-and-mortar chain of organic grocery stores. Between Amazon's reach and delivery and Whole Food's mass appeal to those wanting to buy organic foods, the merger has been an overwhelming success for both parties. While the merger initially stoked fears that grocery prices would rise dramatically, a report one year later noted that actual pricing experienced “downward pressure” and had dropped a few percentage points.

From the standpoint of risk, there are many things that can go wrong. Businesses typically look for synergy, but some businesses just don't fit together. For example, in 2008 Blockbuster moved aggressively to merge with Circuit City. Blockbuster saw the merger as a way to grow, but many outside analysts questioned how two companies with totally different business models, which were both failing, could be combined into one winning business. Because of these questions, the merger never occurred. Within months, Circuit City filed for Chapter 11 protection (bankruptcy), whereas Blockbuster failed and closed outright. Circuit City re-emerged from the ashes some 10 years after the failed merger. In early 2018, Circuit City relaunched online after having been acquired by TigerDirect.

Often, the different businesses cannot coexist as one entity. In other cases, companies enter the merger/acquisition phase without an adequate plan of action. Finally, people don't like change. Once a company's culture is established and people become set in their ways, attitudes are hard to change. Mergers are all about change, and that goes against the grain of what employees expect.

For the security professional, it's common to be asked to quickly establish connectivity with the proposed business partner. Although there is a need for connectivity, security should remain a driving concern. You need to understand the proposed merger partner's security policies and what controls they are enforcing. The last thing that you would want is to allow the ability for an attacker to enter your network through the merging company's network.

Security concerns will always exist when it comes to merging diverse industries. The previous example illustrates just a few of the problems that companies face when they integrate and become one single entity. There will always be security concerns when integrating diverse industries. A CASP+ should also be concerned with items such as the following:

• Rules What is or is not allowed by each individual company. Rules affect all aspects of how a business operates, ranging from the required visibility of an ID badge to how easily groups may share information.
• Policies These are high-level documents that outline the security goals and objectives of the company.
• Regulations Diverse entities may very well be governed by different regulatory entities or regulations such as PCI DSS or HIPAA. Other regulatory factors include export controls, such as use of encryption software. Companies dealing with controlled data types must meet the regulatory-imposed legal requirements, often related to storing, safeguarding, and reporting on that data.
• Geography It is all about location. A company that is located in Paris, France, will be operating on different standards than one that is based in Denver, Colorado.
• Demerger/Divestiture Anytime businesses break apart, you must confront many of the same types of issues. As an example, each organization must now have its own, separate IT security group, and it must implement its own firewalls and other defenses.

Whether the situation involves an acquisition or a company breaks into two or more entities, the leadership must revisit the data and its classification. Data ownership is affected by the change in company ownership. Similarly, a change in company structure will likely affect how data is classified or categorized, so a data reclassification will be required as well.

The CASP+ should understand technical deployment models and design considerations such as outsourcing, insourcing, partnerships, mergers, acquisitions, and demergers. The CASP+ and others responsible for the IT security of an organization should play a role during mergers and acquisitions. Generally, a merger can be described as the combining of two companies of equal size, whereas an acquisition is where a larger company acquires a smaller one. In both situations, it's important that proper security control be maintained throughout the process. This can be done through the application of due care and due diligence.

Somewhat akin to outsourcing in terms of the security risks that they present are partnerships. A partnership can be best defined as a type of business model in which two or more entities share potential profit and risk with each other, whereas with outsourcing, the customer assigns the work to the contractor. Once the project or service has been provided, the customer pays the contractor, and the relationship ends.

Partnerships are different; they are much more like a marriage. With marriage, for example, you might want to execute a prenuptial agreement; likewise, in partnerships, you need to be prepared should things go wrong and the partnership ends. There are a number of potential risks when companies decide to acquire, merge, or form partnerships:

• Loss of Competency Once a new entity begins providing a service, the other may lose the in-house ability to provide the same service. Should the partnership end, the company is forced to deal with the fact that this service can no longer be supported. Even worse, the partner may now become a competitor.

• Broken Agreements Partnerships don't always work out. In situations where things go wrong, there are costs associated with switching services back in house.
• Service Deterioration Although the partner may promise great things, can they actually deliver? Over time, do they deliver the same level of service, or does it deteriorate? Metrics must be in place to monitor overall quality. Depending on the task, the level of complexity, or even issues such as a growing customer base, the partner may not be able to deliver the product or service promised.
• Poor Cultural Fit Some partners may be in other regions of the country or another part of the world. Cultural differences can play a big part in the success of a partnership. Once a partnership is formed, it may be discovered that incentives to provide services and products don't align or that top-level management of the two companies differs.
• Hidden Costs Sometimes all of the costs of a partnership are not initially seen. Costs can escalate due to complexity, inexperience, and other problems. Partnerships that are focused on tangible production are typically less vulnerable to these interruptions than those that deal in intangible services.

This doesn't mean that partnerships are all bad. Your company may be in a situation where in-house technical expertise has been lacking or hard to acquire. Maybe you need someone to build a specific web application or code firmware for a new device. Just consider how strategic multinational partnerships are sometimes motivated by protectionist laws in other countries or marketing know-how or expertise in another country or region. In these situations, the business partner may have the expertise and skills to provide this service.

From an IT security perspective, a major risk of such partnerships is knowledge and technology transfer, both intentional/transparent and unintentional/covert. You should always keep in mind what resources are being provided to business partners, whether they are needed, what controls are being used, and what audit controls are in place.

Cross-Domain

Cross domains are integrated hardware and software solutions that make it secure to access data across multiple networks. Cross-domain solutions are extremely helpful when there are different levels of security classifications or domains. A cross-domain policy is the set of rules that grants permission to disparate data.

Federation

Federation allows you to link your digital identity to multiple sites and use those credentials to log into multiple accounts and systems that are controlled by different entities. Federation is a collection of domains that have established trust. The level of trust may vary but typically includes authentication and almost always includes authorization. In early 2022, the United States White House announced the Office of Management and Budget (OMG) released the federal zero-trust strategy in support of “Improving the Nation's Cybersecurity” calling for strict monitoring controls, identification of priorities, and baseline policies for limiting and verifying federation across network services regardless of where they are located. For more information, you can read about zero-trust architecture (ZTA) here: zerotrust.cyber.gov/federal-zero-trust-strategy.

A typical federation might include a number of organizations that have established trust for shared access to a set of resources. Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud. As a result, it becomes important to have a highly available AD FS infrastructure to ensure access to resources both on-premises and in the cloud.

Directory Services

Directory services are used in networks to provide information about systems, users, and other information about an organization. Directory services like the Lightweight Directory Access Protocol (LDAP) are often deployed as part of an identity management infrastructure. They are frequently used to make available an organizational directory for email. LDAP uses the same object data format as X.500, where each object is made up of attributes that are indexed and referenced by a distinguished name. Each object has a unique name designed to fit into a global namespace that helps determine the relationship of the object and allows for the object to be referenced uniquely. Each entry would also have additional information including a distinguished name, an email address, phone numbers, and office location.

Security issues with LDAP include the fact that no data encryption method was available in LDAP versions 1 and 2. Security is negotiated during the connection phase when the client and server begin communications. Options include no authentication or basic authentication. This is the same mechanism that is used in other protocols, such as HTTP. The LDAP v3 (RFC 2251) is designed to address some of the limitations of previous versions of LDAP in the areas of internationalization, authentication, referral, and deployment. It allows new features to be added to the protocol without also requiring changes to the protocol using extensions and controls.

Since directories contain significant amounts of organizational data and may be used to support a range of services, including directory-based authentication, they must be well protected. The same set of needs often means that directory servers need to be publicly exposed to provide services to systems or business partners who need to access the directory information. In those cases, additional security, tighter access controls, or even an entirely separate public directory service may be needed.

Regardless of what protocols and standards are being used to authenticate, there is a real need for strong cryptographic controls. This is the reason for the creation of secure directory services. This solution makes use of Secure Sockets Layer (SSL). LDAP over SSL (LDAPS) provides for secure communications between the LDAP servers and client systems by means of encrypted SSL connections. To use this service, SSL has to be present on both the client and server and be able to be configured to make use of certificates. LDAP supports two methods for the encryption of communications using SSL/TLS: traditional LDAPS and STARTTLS. LDAPS communication commonly occurs over a special port 636. However, STARTTLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to SSL/TLS.

Autoscaling

One of the distinct advantages in cloud computing is the ability to dynamically scale up or down quickly and automatically to the number of resources needed based on traffic or utilization. Benefits of autoscaling include better fault tolerance, availability, and cost management.

Security Orchestration, Automation, and Response

SOAR, or security orchestration, automation, and response, tools are devised to automate security responses, allow centralized control of security settings and controls, and provide robust incident response capabilities. Managing multiple security technologies can be challenging. Using information from SOAR platforms and systems can help design your organization's security posture. Managing security operations and remediating issues you have identified is also an important part of security work that SOAR platforms attempt to solve. As a mitigation and recovery tool, SOAR platforms allow you to quickly assess the attack surface of an organization, the state of systems, and where issues may exist. They also allow automation of remediation and restoration workflows.

Bootstrapping

Bootstrapping can mean several things in cyber, including the program that initializes during the operating system startup. Bootstrapping in infrastructure is the sequence of events that need to happen when creating a virtual machine. The term came from the expression “pulling yourself up by your own bootstraps.”

In security or data science, it means extrapolating findings for a larger group based on results from a smaller collection of data. Bootstrapping can be used in machine learning by inferring results from a statistical average. Bootstrapping is a technique that data scientists can use to improve the quality of a learning model that some SOAR tools could use.

Secure Design Patterns/Types of Web Technologies

Security by design means that the security measures are built in and that security code reviews must be carried out to uncover potential security problems during the early stages of the development process. The longer the delay in this process, the greater the cost to fix the problem. Security by default means that security is set to a secure or restrictive setting by default. As an example, OpenBSD is installed at the most secure setting; that is, security by default. See www.openbsd.org/security.html for more information. Security by deployment means that security is added in when the product or application is deployed. Research has shown that every bug removed during a review saves nine hours in testing, debugging, and fixing of the code. As a result, it is much cheaper to add in early on than later. Reviews make the application more robust and more resistant to malicious attackers. A security code review helps new programmers identify common security problems and best practices.

Another issue is secure functionality. Users constantly ask for software that has greater functionality. Macros are an example of this. A macro is just a set of instructions designed to make some tasks easier. This same functionality is used, however, by the macro virus. The macro virus takes advantage of the power offered by word processors, spreadsheets, or other applications. This exploitation is inherent in the product, and all users are susceptible to it unless they choose to disable all macros and do without the functionality. Feature requests drive software development and hinder security because complexity is the enemy of security.

An application security framework is a great framework for system development that can make the development process easier to manage for the security manager. It is designed to build in security controls as needed. There are many different models and approaches. Some have more steps than others, yet the overall goal is the same: to control the process and add security to build defense in depth. One industry-accepted approach is a standardized System Development Life Cycle (SDLC) process. NIST defines SDLC in NIST SP 800-34 as “The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.”

Some development use cases and programming languages used are as follows:

• Front-end web development: JavaScript
• Back-end web development: JavaScript, Java, Python, PHP, Ruby
• Mobile development: Swift, Java, C#
• Game development: C++, C#
• Desktop applications: Java, C++, Python
• Systems programming: C, Rust

Storage Design Patterns

To become more efficient, reduce complexity, and increase performance working with large forms of information, using plans and design patterns for repeatability becomes a way to simplify big data applications. Storage design patterns have various components including data sources as well as ingestion, storage, and access layers.

The ingestion layer takes information directly from the source itself and with that comes a great deal of noise, as well as important data. Filtering the noise from the important data can be difficult when you have multiple sources, data compression, and validation. After the separation, architects have to decide which pattern to use. Some of these patterns include the following:

• Multidestination: Great for multiple data streams
• Protocol converter: Best for data coming in from different types of systems
• Real-time streaming: Used for continuous processing of unstructured data

The data storage layer is important to convert any data into a format that can be readily analyzed. Once the data has been normalized, then data access patterns focus on two primary ways to consume the data, through a developer API or an end-to-end user API. There are many ways to structure data at each layer and use those to efficiently pattern the way data will be consumed in an enterprise.

Container APIs

You may not need an entire virtual system to complete a specific task; a container can be used. Containers allow for the isolation of applications running on a server. Containers offer a lower-cost alternative to using virtualization to run isolated applications on a single host. When a container is used, the OS kernel provides process isolation and performs resource management. When exchanging information between the container and other resources, one of the best ways to do that is through an application programming interface (API). A container API allows for building complex functionality between containers, systems, and other services.

Secure Coding Standards

A standard library for a programming language is the library that is made available in every implementation of that language. Depending on the constructs made available by the host language, a standard library may include items such as subroutines, macro definitions, global variables, and templates. The C++ Standard Library can be divided into the following categories:

• A standard template library
• Inputs and outputs
• Standard C headers

The C++ Standard Library provides several generic containers, functions to use and manipulate these containers, function objects, generic strings and streams (including interactive and file I/O), support for some language features, and functions for everyday tasks. The problem is that some C standard library functions can be used inappropriately or in ways that may cause security problems when programmers don't follow industry-accepted approaches to developing robust, secure applications.

Code quality is the term relating to the utility and longevity of a particular piece of code. Code that will be useful for a specific, short-lived function is deemed “low code quality.” A code module that will be useful for several years to come, possibly appropriate for multiple applications, possesses “high code quality.”

API Management

Application programming interfaces (APIs) are the connection between a consumer and a provider. This could be a client and server or an application and operating system. An API defines how the client should ask for information from the server and how the server will respond. This definition means that programs written in any language can implement an API and make requests.

APIs are useful for building interfaces, but they can also be a point of vulnerability if they are not properly secured and managed. API security relies on authentication, authorization, proper data scoping to ensure that too much data isn't exposed, and appropriate monitoring and logging to remain secure. There are four major types of APIs that need to be managed:

• Open or Public API: Publicly available to developers, focuses on external users accessing a service or data
• Internal or Private API: Hidden from external users and used only by internal systems
• Partner API: Shared with business partners with a specific workflow to get access
• Composite API: Built with API tooling, allowing access to multiple endpoints in one call

Managing APIs is the process and procedure of creating, publishing, documenting, and validating all the APIs used within an organization to ensure security. Benefits of implementing API management also include the ability to change quickly and automation.

Middleware

Middleware is the software that works between an application and the operating system and is the enabler for communication, authentication, APIs, and data management. Some common examples are database, application server, web, and transaction processing. Each of these applications needs to be able to communicate with the others, and middleware will perform the communication functions depending on what service is being used and what information needs to be sent. Middleware can use messaging frameworks like SOAP, REST, and JSON to provide messaging services for different applications.

Sandboxing/Development Environment

Application sandboxing is the process of writing files to a sandbox or temporary storage area instead of their normal location. Sandboxing is used to limit the ability of code to execute malicious actions on a user's computer. If you launch an application in the sandbox, it won't be able to edit the Registry or even make changes to other files on the user's hard drive.

One application area where sandboxing is used is with mobile code. Mobile code is software that will be downloaded from a remote system and run on the computer performing the download. The security issue with mobile code is that it is executed locally. Many times, the user might not even know that the code is executing. Java is mobile code, and it operates within a sandbox environment to provide additional security. Data can be processed as either client-side processing or server-side processing. Server-side processing is where the code is processed on the server, whereas with client-side processing the code will run on the client. PHP is an example of a server-side processing language, whereas JavaScript is processed on the client side and can be executed by the browser.

Malware is software. Malware sandboxing is a technique used to isolate malicious code so that it can run in an isolated environment. You can think of a malware sandbox as a stand-alone environment that lets you view or execute the program safely while keeping it contained. Microsoft has several good articles on how to build a Windows Sandbox here: docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.

When using a sandbox, you should not expect the malware creators to make analysis an easy process. As an example, malware creators build in checks to try to prevent their malware from running in a sandbox environment. The malware may look at the MAC address to try to determine if the NIC is identified as a virtual one, or it may not run if it does not have an active network connection. In such cases you may need additional tools such as FakeNet-NG, which simulates a network connection to fool the malware so that the analyst can observe the malware's network activity from within a sandboxed environment.

Validating Third-Party Libraries

An application issue that plagues a surprisingly large number of companies is the use of third-party libraries. The attraction of using something already created is clear: money and time saved! However, there is a big security risk as well.

When developers at a company can find code that fits their needs and is already working, then why would they reinvent the wheel? They can plug in a third-party library to accomplish the required tasks. The problem is that the third-party library is an unknown, untested product when compared with the policies and safe coding practices of the in-house developers.

Code reuse is, as the name implies, the use of a single piece of code several times, whether it's within an application or reused as an application evolves from one version to the next.

Similar to using a third-party library, reusing code saves time and money. The developer doesn't have to rewrite the same block of code (and possibly introduce errors) and instead can direct the application to a single block of code to be used repeatedly when needed.

When practiced with security in mind, code reuse is certainly a positive practice—for example, when a subroutine is required for several aspects of an application. The subroutine was developed securely, so there is little or no added risk. However, if one application's code, however modular it is, were repurposed for the next version or for another application, then this practice might skip the evaluation steps required and introduce new risks.

Defined DevOps Pipeline

Software today is created much faster than in the past, so it becomes important to software companies to remain competitive and create a defined DevOps pipeline to keep track of customers’ demands and requirements. A DevOps pipeline also helps an organization stay organized and focused.

This DevOps pipeline is a set of tools and automated processes used to write, compile, and deploy code. If effective, this enables a software company to rapidly test new code on an ongoing automated basis. Moving from a manual process to an automated one results in fewer errors and pushes out higher-quality code that is signed and distributed to customers. Code signing is the process of digitally signing a piece of software guaranteeing the integrity of the code from the time of signature. If the software has been tampered with, the signature will appear untrusted and invalid.

Application Security Testing and Application Vetting Processes

Application testing is an important part of IT security. Applications are not like any other item. Should you purchase a car that has a defective accelerator or tire, the vendor will typically repair or replace the items. Software, however, is very different. If software is defective, the vendor may no longer support it, may offer a patch, or may even offer an upgrade for a fee. These are just a few of the reasons why testing applications for security issues is so important.

Application security testing is the process of using software, hardware, and procedural methods to prevent security flaws in applications and protect them from exploit. As a CASP+, you are not expected to be an expert programmer or understand the inner workings of a Python program. What the CASP+ must understand, however, is the importance of application security, how to work with programmers during the development of code, and the role of testing code for proper security controls. As a CASP+, you need to understand various testing methodologies. For example, when the code is available, a full code review may be possible. In situations where you do not have access to the code, you may choose no knowledge application assessment techniques.

Regardless of the type of software test performed, your task is to help ensure that adequate controls are developed and implemented and that testing an application meets an organization's security requirements. What security controls are used in part depends on the type of project. A small in-house project will not have the funding of a major product release. The time and money spent on testing commercial applications is typically much greater than for IT projects. IT projects result in software tools and applications that a company uses internally, that a consultant installs in a client's environment, or that the company installs on an internal or external website. Commercial software applications are developed by software manufacturers for sale to external customers. These may be further classified into stand-alone applications (installed on the user's machine), client-server applications, and web applications, all with their own systems development life cycle (SDLC) considerations.

A code analyzer is a Java application compatible with C, C++, Java, assembly, HTML, and user-defined software source metrics. Code analyzers calculate metrics across multiple source trees as one project. Code analyzers have a nice tree view of the project and offer flexible reporting capabilities.

Analyzing code can be done one of several ways. The first method, using a fuzzer, involves intentionally injecting a variety of input into the code in order to produce an unexpected or unwanted result, such as a crash. The input will come fast and furious, in large volumes of data (dubbed “fuzz”), with the goal that the application will reveal its weaknesses.

Another approach is to use static application security testing (SAST). With this method, the software is neither run nor executed; rather, it is reviewed statically. As you can imagine, if an application has millions of lines of code, a static code review is impossible. Therefore, you must rely on static code analysis tools. The code to be reviewed is fed input into the static code analysis tool.

There is also dynamic application security testing (DAST). The difference between dynamic and static code analysis is that while a static review does not execute the application, during dynamic code analysis, the application is run, and you can observe how the code behaves.

Finally, when you combine SAST and DAST, you end up with interactive application security testing (IAST). According to the research firm Gartner, “Next generation modern web and mobile applications require a combination of SAST and DAST.” With IAST, an agent performs all the analysis in real time from inside the application. It can be run during development, integration, or production. The agent has access to all the code, runtime control, configuration, and libraries. With all the access to all the things at the same time, IAST tools can cover more code with more security rules and give better results.

Integration Enablers

To complement the enterprise integration methods and systems mentioned in the preceding sections, there are other services that serve to mend or unite dissimilar parts of the enterprise. The following are additional integration enablers:

• Directory Services Directory services are the means by which network services are identified and mapped. Directory services perform services similar to those of a phone book, as they correlate addresses to names.
• Enterprise Service Bus The enterprise service bus (ESB) is a high-level concept to describe the middleware between two unlike services. It is used in service-oriented architectures as a technique of moving messages between services. You can describe an ESB as middleware because it acts as a service broker. ESB is a framework in that different ESB products have different capabilities. What they share in common is an abstraction layer. Not all ESBs offer encryption. It depends on the particular vendor's product. ESB is fast becoming the backbone of many service-oriented enterprises’ services.
• Service-Oriented Architecture Service-oriented architecture (SOA) specifies the overall multilayered and multitier distributed infrastructure for supporting services such as ESB. Although using web services allows you to achieve interoperability across applications built on different platforms using different languages, applying service-oriented concepts and principles when building applications based on using web services can help you create robust, standards-based, interoperable SOA solutions.
• Domain Name System Domain Name System (DNS) is the service that lets people find what they're looking for on the Internet. DNS operates behind every address translation, working to resolve fully qualified domain names (FQDNs) and human-readable addressing into numeric IP addresses. DNS serves a critical function for people. If DNS as a service were to cease, the Internet would continue, but users would need to know the IP address of every site they wanted to visit. DNS is a request-response protocol. When a DNS server sends a response for a request, the reply message contains the transaction ID and questions from the original request as well as any answers that it was able to find.

Operational Activities

You should understand the threats and vulnerabilities associated with computer operations and know how to implement security controls for critical activities through the operational period of the product or software. Some key operational activities are as follows:

• Vulnerability assessment
• Security policy management
• Security audits and reviews
• Security impact analysis, privacy impact analysis, configuration management, and patch management
• Security awareness and training; guidance documents

Disposal and Reuse

Some products can have a long, useful life. For example, Windows XP was released in 2005 and was updated and maintained until 2014. Regardless of the product, at some point you will have to consider asset object reuse. Asset object reuse is important because of the remaining information that may reside on a hard disk or any other type of media. Even when data has been sanitized, there may be some remaining information. This is known as data remanence. Data remanence is the residual data that remains after data has been erased. Any asset object that may be reused will have some remaining amount of information left on media after it has been erased. Best practice is to wipe the drive with a minimum of seven passes or random ones and zeros. For situations where that is not sufficient, physical destruction of the media may be required.

When such information is deemed too sensitive, the decision may be made not to reuse the objects but to dispose of the assets instead. Asset disposal must be handled in an approved manner. As an example, media that has been used to store sensitive or secret information should be physically destroyed. Before decommissioning or disposing of any systems or data, you must understand any existing legal requirements pertaining to records retention. When archiving information, consider the method for retrieving the information.

Testing

Before products are released, they must typically go through some type of unit, integration, regression, validation, and acceptance testing. The idea is to conduct tests to verify that the product or application meets the requirements laid out in the specification documents.

For some entities, validation is also performed. The U.S. federal government specifies this process as certification and accreditation. Federal agencies are required by law to have their IT systems and infrastructures certified and accredited. Certification is the process of validating that implemented systems are configured and operating as expected. If management agrees with the findings of the certification, the report is formally approved. When comparing products, all products must be validated with identical tests. The formal approval of the certification is the accreditation process and authorization to operate in a given environment.

Testing is discussed in more detail later in the “Best Practices” section of this chapter.

Development Approaches

Carrying out security activities across the system or software life cycle requires that specific controls be put in place. These controls and security checkpoints start at design and development and do not end until decommissioning. Software development models provide the framework needed to plan and execute milestones and delivery cycles. Some of the most popular development approaches include agile, waterfall, and spiral methodologies.

Best Practices

Programmers must also assume that attempts will be made to subvert the behavior of the program directly, indirectly, or through manipulation of the software. The following are some programming best practices:

• Do not rely on any parameters that are not self-generated.
• Avoid complex code, keeping code simple and small when possible.
• Don't add unnecessary functionality. Programmers should only implement functions defined in the software specification.
• Minimize entry points and have as few exit points as possible.
• Verify all input values. Input must be the correct length, range, format, and data type.
• Interdependencies should be kept to a minimum so that any process modules or components can be disabled when not needed.
• Modules should be developed that have high cohesion and low coupling.

Blocking Use of External Media

Enterprise organizations rely on controlling which services and device capabilities can be used, and even where they can be used. Limiting or prohibiting the use of cameras and cell phones can help prevent data leakage from secure areas. Limiting the use of external media and USB functionality that allows devices to act as hosts for USB external devices like cameras or storage can also help to limit the potential for misuse of devices. This can be a useful privacy control or may be required by the organization as part of documentation processes.

Some organizations go so far as to block printers from accessing the Internet. Print blocking means if you work around many Wi-Fi locations or you have many computers or printers in one area, you can prevent others from being able to print on your printer or intercept files being sent to that printer.

Remote Desktop Protocol Blocking

Desktop sharing programs are extremely useful, but there are potential risks. One issue is that anyone who can connect to and use your desktop can execute or run programs on your computer. A search on the Web for Microsoft Remote Desktop Services returns a list of hundreds of systems to which you can potentially connect if you can guess the username and password.

At a minimum, these ports and applications should be blocked or restricted to those individuals who have a need for this service. Advertising this service on the Web is also not a good idea. If this is a public link, it should not be indexed by search engines. There should also be a warning banner on the page that states that the service is for authorized users only and that all activity is logged.

Another issue with desktop sharing is the potential risk from the user's point of view. If the user shares the desktop during a videoconference, then others in the conference can see what is on the presenter's desktop. Should there be a folder titled “divorce papers” or “why I hate my boss,” everyone will see it.

Application sharing is fraught with risks as well. If the desktop sharing user then opens an application such as email or a web browser before the session is truly terminated, anybody still in the meeting can read and/or see what's been opened. Any such incident looks highly unprofessional and can sink a business deal.

Clipboard Privacy Controls

When working on any type of application on any type of device, sometimes it is much easier to cut, copy, and paste that address information into a text or the URL into a browser. However, security professionals should know that some systems, including Androids, have incredibly insecure clipboards. Any application on an Android phone can read it without your permission. Any application that is installed that declares the permission android.permission.READ_CLIPBOARD in their AndroidManifest.xml file is automatically granted this permission when it is installed, meaning they can read the Android clipboard. In Windows, information is copied into Clipboard History in clear text and synced across different devices and accounts. It is convenient but not very secure. It is generally recommended that you never copy any sensitive data.

Restricted Virtual Desktop Infrastructure Implementation

Remember dumb terminals and the thin client concept? This has evolved into what is known as the virtual desktop infrastructure (VDI). This centralized desktop solution uses servers to serve up a desktop operating system to a host system. Each hosted desktop virtual machine is running an operating system such as Windows 11 or Windows Server 2019. The remote desktop is delivered to the user's endpoint device via Remote Desktop Protocol (RDP), Citrix, or other architecture. Technologies such as RDP are great for remote connectivity, but they can also allow remote access by an attacker. Questions about these technologies are likely to appear on the CASP+ exam.

This system has lots of benefits, such as reduced onsite support and greater centralized management. However, a disadvantage of this solution is that there is a significant investment in hardware and software to build the backend infrastructure, as well as security issues. To create a more restrictive interface, best practices include disabling local USB, segregating networks, restricting access, and doing a thorough job building the master image. An administrator should avoid bundling all applications in the base image. The best way to manage this is to create a clean base image and then manage applications with profiles and groups.

Data Classification Blocking

Not all data is created equal. A data classification policy describes the classification structure used by the organization and the process used to properly assign classifications to data. Data classification informs us of what kind of data we have, where it is, and how well we need to protect it. Combining data classification with a data loss prevention (DLP) policy results in your most sensitive data being the most protected. Security policies around the protection of data should be implemented with realistic and easy-to-understand procedures that are automated and audited periodically. Security policy should also outline how employees are using data and downloading files and how they are protecting them. A rule of not allowing certain data classes to be removed from protected enclaves is one way of blocking sensitive data from leaving the environment.

Watermarking

Although the term steganography is typically used to describe illicit activities, watermarking is used for legal purposes. It is typically used to identify ownership or the copyright of material such as videos or images. If any of these items are copies, the digital copy would be the same as the original; therefore, watermarking is a passive protection tool. It flags the data's ownership but does not degrade it in any way. It is an example of digital rights management.

Digital Rights Management

Digital rights management (DRM) is an entire suite of technologies designed to protect digital content. As an example, you may be reading a copy of this book on your tablet, yet that does not mean the publisher wants to provide free copies to 100 of your closest friends! That is the situation for which DRM is designed: it helps prevent copyright infringement online and thus helps the copyright holder maintain control of the information.

Network Traffic Analysis

Network traffic analysis (NTA) is important for networks because sophisticated attackers frequently go undetected in a victim's network for an extended period. Attackers can blend their traffic with legitimate traffic that only skilled network analysts know how to detect. A skilled cybersecurity professional should know how to identify malicious network activity as well as network protocols, network architecture, intrusion detection systems, network traffic capture, and traffic analysis. Network tools commonly used to analyze captured network traffic include Wireshark and the command-line versions Tshark or TCPdump.

Network Traffic Decryption/Deep Packet Inspection

Wireshark can also be used for some packet inspection, but there are tools that go deeper. Deep packet inspection (DPI) is a form of packet filtering that is able to inspect the information as well as the contents of the packet itself. Wireshark can tell that HTTP is being used but cannot view the contents of an encrypted packet. DPI has the ability to do something about traffic that fits a profile, such as dropping the whole packet or limiting bandwidth. Tools like nDPI are open-source tools, while Cisco's Network Based Application Recognition (NBAR) is on many Cisco devices.

Metadata/Attributes

Metadata generated as a regular part of operations, communications, and other activities can also be used for incident response. Metadata is information about other data. In the case of systems and services, metadata is created as part of files and embedded documents, is used to define structured data, and is included in transactions and network communications amongst many other places you can find it. Metadata attributes express qualifications on content and can be used to modify how the content is processed or filtered. Another use is to flag content based on values or status. Metadata attributes can provide a list of one or more qualifications such as administrator programmer. This means the content applies to both administrators and programmers.

The following are common types of metadata to understand:

• Email: This includes headers and other information found in an email. Email headers provide specifics about the sender, the recipient, the date, and time the message was sent, and if the email had an attachment.
• Mobile: Data is collected by phones and other mobile devices including call logs, SMS and other message data, data usage, GPS location tracking, and cellular tower information. Mobile metadata is incredibly powerful because of the amount of geospatial information that is recorded about where the phone has traveled.
• Web: This is embedded into a website as part of the code of the website but is invisible to average users and includes meta tags, headers, cookies, and other information that may help with search engine optimization, website functionality, advertising, and tracking.
• File: This is a powerful tool when reviewing when a file was created, how it was created, if and when it was modified, and who modified it. Metadata is commonly used for forensics and other investigations, and most forensic tools have built-in metadata viewing capabilities.

Password Repository Application

A password repository is a password vault to keep all your passwords safe. Just about every website that you visit today, from banking and social media accounts to shopping applications, require a user account and password. It is very difficult for a human being to remember different passwords for all of those accounts, so many end users create simple passwords like “123456789” or “Password123!” if complexity is required. Several examples of these include LastPass, Dashlane, and Keychain.

End-User Password Storage

A password repository will store passwords for you securely and assist in the generation of new ones. A password manager is essentially an encrypted vault for storing passwords that is itself protected by a master password. To obtain access to the passwords stored in the manager, a user has to know the master password; in many cases, a second authentication factor is required as well.

Password vaults can be used to simply store passwords for easy recall, but one of the best features of most password managers is their ability to generate passwords. A lengthier password is more protected and harder to crack, and the passwords generated by password managers are combinations of random numbers and letters that are very secure.

Another significant feature of most password managers is the ability to automatically fill in passwords to stored sites. By using that feature you won't have to type anything but the master password, and it's also a good way to avoid having passwords stolen by keylogging malware.

Most organizations have somewhat limited visibility into what passwords their employees are using, which can increase their risk both on premises and in the cloud. Another risk factor for passwords is that many of those employees reuse those passwords for multiple accounts, both personal and professional. With the adoption of cloud infrastructure, many organizations still struggle with enforcing password policies on all systems. With so many applications in the SaaS model, a business should look to using a next-generation password management system using multifactor authentication (MFA) and single sign-on (SSO) for security and compliance.

Another option for enterprise organization is a physical hardware key manager to combat the challenge of memorizing complex passphrases and keep employees from reusing passwords across multiple applications. Using a hardware key manager is a really good way of creating and maintaining passwords for all account logins.

Privileged Access Management

Privileged users have accounts that give them complete access to your IT ecosystem. These accounts can belong to internal administrators or external contractors, allowing them to manage network devices, operating systems, and applications. Because of their level of access, admin credentials are the number-one target of most bad actors. Admins can create other admins.

With an ever-changing landscape and staffing, managing these privileged accounts becomes difficult. Access management tooling allows insight into who is doing what in the environment. This allows secure access from a central location and adapts to security solutions already deployed in the environment.

Transitive Trust

Transitive trust theory means that if A trusts B and B trusts C, then logically A should be able to trust C. In Microsoft Active Director, transitive trust is a two-way relationship between domains. When a new domain is created, it automatically shares resources with its parent by default. This allows a user to access resources in both the child and the parent.

OpenID

OpenID is an open standard that is used as an authentication scheme. OpenID allows users to log on to many different websites using the same identity on each of the sites. As an example, you may log in to a news site with your Facebook username and password. OpenID was developed by the OpenID Foundation. OpenID works as a set of standards that includes OpenID Authentication, Attribute Exchange, Simple Registration Extension, and Provider Authentication Policy Exchange.

OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to sign in a user to an application securely. When you use the Microsoft identity platform's implementation of OpenID Connect, you can add sign-in and API access to your apps.

Security Assertion Markup Language

Security Assertion Markup Language (SAML) is one example of a protocol designed for cross-web service authentication and authorization. SAML is an XML-based standard that provides a mechanism to exchange authentication and authorization data between different entities.

Over time, SAML promises to improve new generations of web service. The protocol was created by the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that develops and adopts open standards for the global information society. One outcome of its work is SAML, which allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject. This means that SAML allows users to authenticate once and then be able to access services offered by different companies. At the core of SAML is the XML schema that defines the representation of security data; this can be used to pass the security context between applications.

For SAML to be effective on a large scale, trust relationships need to be established between remote web services. The SAML specification makes use of pairwise circles of trust, brokered trust, and community trust. Extending these solutions beyond the Internet has been problematic and has led to the proliferation of noninteroperable proprietary technologies. In terms of protocol sequences, SAML is similar to OpenID.

SAML assertions are communicated by a web browser through cookies or URL strings. These include the following:

• MIME SAML assertions are packaged into a single Multipurpose Internet Mail Extensions (MIME) security package.
• SOAP SAML assertions are attached to the Simple Object Access Protocol (SOAP) document's envelope header to secure the payload.

Shibboleth

Shibboleth can be described as a distributed web resource access control system. Shibboleth enhances federation by allowing the sharing of web-based resources. When you use Shibboleth, the target website trusts the source site to authenticate its users and manage their attributes correctly. The disadvantage of this model is that there is no differentiation between authentication authorities and attribute authorities.

Discretionary Access Control

Discretionary access control (DAC) gives users the capability to access organizational files and directories. DAC is based on the decision of the owner of the file or directory. DAC uses access control lists (ACLs) along with the Unix permission file system.

Mandatory Access Control

Mandatory access control (MAC) has been used by the government for many years. All files controlled by the MAC policies are based on different security levels. MAC allows for the system to run at the same or lower levels. Overriding MAC requires authorization from senior management.

Role-Based Access Control

Role-based access control (RBAC) systems rely on roles that are then matched with privileges that are allocated to those roles. This makes RBAC a popular option for enterprises that can quickly categorize personnel with roles like “cashier” or “database administrator” and provide users with the appropriate access to systems and data based on those roles. RBAC systems have some fundamental criteria to follow:

• Role assignment, which states that subjects can only use permissions that match a role they have been assigned.
• Role authorization, which states that the subject's active role must be authorized for the subject. This prevents subjects from taking on roles they shouldn't be able to.
• Permission authorization, which states that subjects can only use permissions that their active role is allowed to use.

These rules together describe how permissions can be applied in an RBAC system and hierarchies can be built that allow specific permissions to be accessible at the right stages based on roles in any particular ecosystem.

Rule-Based Access Control

Rule-based access control, sometimes called RBAC (and sometimes RuBAC to help differentiate it from role-based access control) is an applied set of rules or ACLs that apply to various objects or resources. When an attempt is made to access an object, the rule is checked to see if the access is allowed. A popular model of rule-based access control is a firewall rule set.

Attribute-Based Access Control

Attribute-based access control (ABAC) schemes are suitable for application security, where they are often used for enterprise systems that have complicated user roles and rights that vary depending on the roles that users have and the way they relate with a system. They're also used with databases and content management systems, microservices, and APIs for similar purposes.

Remote Authentication Dial-in User Service

In the Microsoft world, the component designed for remote access is Remote Access Services (RAS). RAS is designed to facilitate the management of remote access connections through dial-up modems. Unix systems also have built-in methods to enable remote access. Historically, these systems worked well with Remote Authentication Dial-In User Service (RADIUS), a protocol developed to be a centralized sign-on solution that could support authentication, authorization, and accountability. This method of remote access has been around for a while.

When other devices want to access the server, it sends a request message for matching the credentials. In response to this request, the server will give an access-accept message to the client if the credentials are correct and access-reject if the credentials are not. RADIUS is an open standard and can be utilized on other devices. RADIUS encrypts only passwords, not the username.

Terminal Access Controller Access Control System

Cisco has implemented a variety of remote access methods through its networking hardware and software. Originally, this was Terminal Access Controller Access Control System (TACACS). TACACS has been enhanced by Cisco and expanded twice. The original version of TACACS provided a combination process of authentication and authorization. This was extended to Extended Terminal Access Controller Access Control System (XTACACS). XTACACS is proprietary to Cisco and provides separate authentication, authorization, and accounting processes. The most current version is TACACS+. It has added functionality and extended attribute control and accounting processes. TACACS+ also separates the authentication and authorization process into three separate areas: authentication, authorization, and accounting. While these processes could even be hosted on separate servers, it's not necessary.

Diameter

The Diameter protocol was designed to be an improvement over RADIUS and have better handling of mobile users (IP mobility). Diameter provides the functions of authentication, authorization, and accounting. However, RADIUS remains very popular.

Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is an application protocol that is used for accessing directory services across a TCP/IP network. Active Directory (AD) is Microsoft's implementation of directory services and makes use of LDAP.

Kerberos

Kerberos has three parts: a client, a server, and a trusted third-party key distribution center (KDC) to mediate between them. Clients obtain tickets from the KDC, and they present these tickets to servers when connections are established. Kerberos tickets represent the client's credentials. Kerberos relies on symmetric key cryptography. Kerberos has been the default authentication mechanism used by Windows for both the desktop and server OS since Windows 2000 going forward. Kerberos offers Windows users faster connections, mutual authentication, delegated authentication, simplified trust management, and interoperability. Kerberos V5 [RFC4120] implementation may upgrade communication between clients and Key Distribution Centers (KDCs) to use the Transport Layer Security (TLS) [RFC5246] protocol. The TLS protocol offers integrity and privacy protected exchanges that can be authenticated using X.509 certificates, OpenPGP keys [RFC5081], and usernames and passwords via SRP [RFC5054].

Kerberos does have some areas that can be targeted by criminals. One of these is the fact that Kerberos, like all authentication protocols, has a defined life span. As such, any network using the Kerberos protocol for authentication will need to ensure that the clocks on all systems are synchronized through the use of a protocol such as Network Time Protocol (NTP). Also note that it is important to secure NTP. How to do so depends on your particular configuration; however, if for instance your network was receiving NTP information from pool.ntp.org, then the IP addresses associated with those particular NTP servers should be the only IP addresses permitted into your network over UDP port 123, the default NTP port. More advanced configurations are available. Kerberos is discussed further in the “Single Sign-On” section later in this chapter.

OAuth

Open Authorization (OAuth) is an authorization standard used by many websites. Its purpose is to allow a user or a service to access resources. It allows a user to authorize access to a third-party resource without providing them with the user's credentials. As an example, you might allow a Facebook app to access your Facebook account. In this situation, OAuth would allow an access token to be generated and issued to the third-party application by an authorization server with the approval of the Facebook account holder. As a side note, the process of using a small piece of data in place of data to be kept more secure is called tokenization.

802.1X

IEEE 802.1X is an IEEE standard for port-based Network Access Control (NAC). 802.1X is widely used in wireless environments, and it relies on EAP. 802.1X acts as an application proxy. It's much like a middleman in the authentication process.

For wireless authentication, 802.1X allows you to accept or reject a user who wants to be authenticated. There are three basic parts to 802.1X:

• The user
• An authentication server
• An authenticator acting as the go-between, typically the access point or wireless switch

It starts with a user initiating a “start” message to authenticate. The message goes to the authenticator, usually the access point. The AP requests the user's identity. The user responds with a packet containing the identity, and the AP forwards this packet to the authentication server. If the authentication server validates the user and accepts the packet, the AP is notified. The AP then places the user in an authorized state, allowing their traffic to go forward.

Extensible Authentication Protocol

Extensible Authentication Protocol (EAP) is an authentication framework that is used in wireless networks. EAP defines message formats and then leaves it up to the protocol to define a way to encapsulate EAP messages within that protocol's message. There are many different EAP formats in use, including EAP-TLS, EAP-TTLS, EAP-PSK, and EAP-MD5. Two common implementations of EAP are PEAP and LEAP.